OSINT Lookups

Step #1 - Open /home/sandbox/sandbox/transform.cfg in a text editor

Step #2 - Modify the configuration by adding or modifying the properties on this page

Step #3 - Save the file and restart the sandbox service

Enable OSINT lookups

To enable reputation lookups and external tools, use the following settings.

transform.cfg
Copy
Property nameDefault valueDescription
runOSINTLookupstrueMain switch to enable reputation lookups and external tool integrations on the input sample
runExtendedOSINTLookupsfalseEnable execution for extracted IOCs
runOSINTLookupsOnExtractedFilesfalseEnable execution for extracted files
runOSINTLookupsDistributedTimeoutMs1 minuteExecution timeout

OPSWAT Reputation

Enable OPSWAT Reputation lookups

transform.cfg
Copy

The API key can be configured by the user manually, or it can be part of the license file. A demo API key is used if not specified by the user or license.
Property NameDefault ValueDescription
enableOpswatReputationAPItrueSwitch to enable / disable OPSWAT Reputation lookups
opswatReputationAPIURLhttps://api.metadefender.com/API URL
opswatReputationAPIKeyAPI key

OPSWAT MultiScanning

Enable OPSWAT MultiScanning with MetaDefender Cloud or MetaDefender Core

transform.cfg
Copy
Property NameDefault ValueDescription
enableMetaDefenderAPIfalseSwitch to enable / disable OPSWAT MultiScanning
metaDefenderUseCloudAPItrueIf set to true, multiscan requests will be sent to MetaDefender Cloud If set to false, multiscan requests will be sent to MetaDefender Core
metaDefenderAPIURLhttps://api.metadefender.com/API URL (could also point to local instance of MDCore, e.g.: http://10.0.0.5:8008/ )
metaDefenderAPIKeyAPI key
metaDefenderScanRuleWorkflow rule to use
metaDefenderScanTimeout1 minuteExecution timeout

OPSWAT Fuzzy Hash Lookup

Fuzzy hashes are basically a SHA-256 of a long string that is built using a streamlined order, containing very high-level, but specific attributes of an input file. It is a proprietary algorithm and format developed by OPSWAT to enable detection of clusters of files / unknown malware. MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) calculates FSIO Fuzzy hash for each appropriate input sample and looks for this hash in a specifically defined list.

Fuzzy hash lookup results are displayed in OSINT Lookup section

Please note, that you may not see result for every scanned malicious data.

The feature is enabled by default. To turn it off do the following steps:

transform.cfg
Copy

Offline URL Reputation

Enable offline URL reputation lookups based on Offline URL Reputation Overview.

This is an experimental feature, only enabled in offline mode by default.
transform.cfg
Copy

Virus Total

Enable Virus Total lookups

transform.cfg
Copy
Property NameDefault ValueDescription
enableVirusTotalLookupsfalseSwitch to enable / disable Virus Total lookups
virusTotalAPIKeyAPI key
virusTotalQueriesPerMinute4Rate limiter for Virus total API queries / second. Value '0' means no rate limit.
virusTotalDefaultMaliciousEngineCount3Malicious lookup verdict if at least the configured number of providers detected the input as malicious

Google Safe Browsing

Enable Google Safe Browsing lookups

transform.cfg
Copy
Property NameDefault ValueDescription
enableSafebrowsingLookupsfalseSwitch to enable / disable Safe Browsing lookups
safebrowsingAPIAPI key
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Dynamic Analysis

See the "Technical Datasheet" for a complete list of features: https://docs.opswat.com/filescan/datasheet/technical-datasheet

On This Page
OSINT LookupsEnable OSINT lookupsOPSWAT ReputationOPSWAT MultiScanningOPSWAT Fuzzy Hash LookupOffline URL ReputationVirus TotalGoogle Safe Browsing